Who’s Who In Ransomware
Gangs and strains to beware of in 2023 Sponsored by Conceal
– Charlie Osborne, Cybercrime Magazine Editor-at-Large
London – Sep. 29, 2023
Ransomware is one of the most virulent and difficult security challenges organizations face. Cybersecurity Ventures predicts ransomware will attack a business, consumer, or device every two seconds and will cost victims $265 billion USD annually by 2031.
Our goal with this report is to provide a window into the organized gangs who are planning and executing the attacks. Knowledge is power in the war against ransomware criminals.
WHAT IS RANSOMWARE?
Ransomware is malware designed to deny a user access to their files or systems. It is roughly separated into crypto ransomware, which encrypts files, and locker ransomware, which locks the screen or the device itself, although many ransomware families today combine both capabilities with data theft and more.
Once ransomware has successfully infected a target machine or network, its operators attempt to extort their victims. Individuals were once most at risk from ransomware hidden within malicious attachments to emails, suspicious links, and drive-by downloads, but now, organizations are, by far, the most lucrative and appealing targets to criminals.
Today’s threat actors will use the lure of a decryption key (which may or may not work) to pressure the target into paying. Furthermore, businesses may find themselves subject to data theft-related extortion.
Ransomware moves laterally across networks, often propagating to connected PCs, file shares, and storage drives. Depending on the sophistication of the developer, the payload will be packed or obfuscated to hinder reverse engineering, and files are typically encrypted with a hybrid scheme (a per-file or per-victim symmetric key that is itself wrapped with the operator’s public key) so that recovery without the operator’s private key is infeasible. Free decryptors usually appear only when an implementation flaw leaks key material.
Furthermore, ransomware families come in a variety of programming languages ranging from C++ to Rust and Golang (Go).
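The file-level behaviour described above is what host-based ransomware detection keys on: one process rewriting many files in a short burst, the rewritten contents looking random (high Shannon entropy) rather than like documents, and files being renamed with a new extension. The Python below is an added example written for this edit, not code from the report or from any vendor. The process names, paths, extension list and file events are constructed sample data, and the thresholds (20 high-entropy writes inside 60 seconds) are assumptions to be tuned per environment. It also shows the main false-positive case: an archiver or backup tool also emits high-entropy output, so entropy alone is not enough and the burst count and rename signals carry the decision.

```python
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass

# Extensions appended by encryptors vary per family; this set is an
# illustrative assumption, not a list taken from the report.
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")


@dataclass
class FileWrite:
    """One file-modification event as an EDR sensor or minifilter would report it."""
    ts: float        # seconds since an arbitrary epoch
    process: str     # image name of the writing process
    old_path: str    # path before the write
    new_path: str    # path after the write (differs when the file was renamed)
    data: bytes      # bytes written (a sample of the new contents is enough)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, 7.9+ for ciphertext or archives."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, window_s=60.0, min_writes=20, entropy_threshold=7.0):
    """Flag processes that wrote >= min_writes high-entropy files inside any
    window_s-second window. Returns {process: {"burst_size": n, "renamed": m}}."""
    recent = defaultdict(deque)   # process -> timestamps of recent high-entropy writes
    renamed = defaultdict(int)    # process -> count of suspicious extension renames
    flagged = set()
    for w in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(w.data) < entropy_threshold:
            continue               # plaintext-looking write: not interesting here
        q = recent[w.process]
        q.append(w.ts)
        while q and q[0] < w.ts - window_s:
            q.popleft()            # slide the window forward
        if w.new_path != w.old_path and w.new_path.lower().endswith(SUSPECT_EXTENSIONS):
            renamed[w.process] += 1
        if len(q) >= min_writes:
            flagged.add(w.process)
    return {p: {"burst_size": len(recent[p]), "renamed": renamed[p]} for p in flagged}


def constructed_events():
    """Constructed sample telemetry (not real data): a word processor saving
    documents, an archiver producing compressed backups, and a hypothetical
    encryptor 'rsw.exe' rewriting a file share."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext/compressed bytes
    plaintext = b"Quarterly report. Revenue grew four percent against plan. " * 80
    events = []
    for i in range(3):
        events.append(FileWrite(i * 100.0, "winword.exe",
                                f"C:/docs/q{i}.docx", f"C:/docs/q{i}.docx", plaintext))
    for i in range(5):  # high entropy, but only 5 writes spread over 5 minutes
        events.append(FileWrite(i * 60.0, "7z.exe",
                                f"C:/backup/part{i}.7z", f"C:/backup/part{i}.7z",
                                rng.randbytes(4096)))
    for i in range(30):  # 30 high-entropy writes with renames inside 10 seconds
        events.append(FileWrite(500.0 + i * 0.3, "rsw.exe",
                                f"C:/share/file{i}.xlsx", f"C:/share/file{i}.xlsx.locked",
                                rng.randbytes(4096)))
    return events


if __name__ == "__main__":
    for proc, info in detect_encryption_bursts(constructed_events()).items():
        print(f"ALERT {proc}: {info['burst_size']} high-entropy writes, "
              f"{info['renamed']} renamed to a suspect extension")
```

Run on the constructed events, only the hypothetical rsw.exe is flagged: winword.exe never exceeds the entropy threshold, and 7z.exe does but never reaches the burst count. In production the same logic would sit on a real file-event feed, with thresholds lowered for canary directories that no legitimate process should touch.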
Well-known ransomware variants and operators include Alphv/BlackCat, WannaCry, CryptoLocker, Conti, Evil Corp, Grief Group, and Lace Tempest.
RANSOM DEMANDS
Ransomware gangs are, in almost every case, financially motivated. These cybercriminals will stop at nothing to be paid — whether this means locking up your personal information or grinding the operations of a Fortune 500 company to a halt.
Victims will be directed to websites on the Dark Web and secure chat platforms to make a payment or negotiate a ransom. To disguise their tracks, ransom demands are made in cryptocurrency, most often in Bitcoin (BTC) — although other virtual coins including Ethereum (ETH) and Monero (XMR) occasionally make an appearance.
To date, the largest ransomware payout was reportedly made by CNA Financial, a major U.S. insurance company. Reports suggest the firm paid $40 million USD in an attempt to regain access to its systems following an attack by a ransomware group.
Another notable ransom payout was made by Caesars in September, that of $15 million USD, after a ransomware gang compromised the Caesars Rewards loyalty program database. The cybercriminals agreed not to publish user data if a payment was made, although it remains to be seen if they keep their promise.
There were 2,085 significant business-related ransomware incidents between Jan. and Jun. 2023, a 67 percent year-on-year increase, according to NCC Group data. Researchers say the increase “has in no small part been heavily influenced by the increasing numbers of RaaS operators and the ever-evolving ransomware/data exfiltration business model.”
Ransom demands frequently reach millions of dollars, with many others falling within the range of five to six figures. If victims refuse, they may find themselves publicly “named and shamed” on leak sites and their confidential information may be leaked or sold.
GLOBAL RANSOMWARE COSTS
Ransomware is now synonymous with a thriving cybercrime economy.
While ransomware infections were once considered a consequence of visiting illicit websites or downloading illegal, cracked software, it is now a weapon of choice for cybercriminals indiscriminately attacking individuals, SMBs, and Fortune 500 organizations alike.
Ransomware continues to evolve for one reason: reaching greater heights in financial extortion. Despite CISOs and cybersecurity teams pouring resources into ransomware protection, and law enforcement cracking down on the lucrative, illegal industry worldwide, ransomware showed no signs of stopping this year.
Ransomware gangs are relentlessly jockeying for position as the most dangerous threats to network defenders.
The U.S. Financial Crimes Enforcement Network (FinCEN) says that ransomware poses a significant threat to businesses and the public. For example, suspicious transactions suspected of being tied to ransomware and reported under the Bank Secrecy Act reached $1.2 billion USD in 2021.
FinCEN analysts claim that Russian cybercriminals are at the heart of many ransomware variants used today, accounting for roughly 75 percent of ransomware-related incidents reported in the second half of 2021. Furthermore, the five highest-grossing ransomware variants are said to be connected to Russian threat actors.
“Financial institutions that ignore their regulatory obligations put themselves, U.S. citizens and companies, and the entire financial system at risk,” FinCEN added. “They are opening the door to all manner of threats, including Russian illicit finance, cybercrimes and ransomware, drug or human trafficking, or other heinous crimes.”
Cybersecurity Ventures predicts that by 2031, ransomware will cost its victims approximately $265 billion, based on a 30 percent year-over-year growth over the next decade.
The costs include ransom payments, damage and destruction of data, lost productivity, theft of intellectual property, personal and financial data exposure, post-attack disruption to the ordinary course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Cybersecurity Ventures predicts that a ransomware attack will strike a consumer or business every two seconds by 2031.
CYBERINSURANCE
Insurance is considered to be a way to mitigate the cost of ransomware. In the first quarter of 2023, ransomware-related claims rose by 27 percent, with analysts saying the average loss amount for victim organizations was over $365,000 USD.
Insurance underwriters are far from unaware that cybercrime, whether grassroots or state-sponsored, now represents a serious threat to modern businesses. Consequently, the industry is in a state of flux and is changing at a rapid pace, with some insurers implementing exceptions to prevent payouts after state-sponsored attacks.
PwC’s Insurance Banana Skins 2023 report, developed in conjunction with the Centre for the Study of Financial Innovation (CSFI), cited cyber risks as the top concern of insurers over the next two to three years. The findings reflected a rise in claims, the growing sophistication of cybercriminals, state-sponsored campaigns, and the insurance industry’s own fears of being attacked.
Unfortunately, it may be cheaper — in consideration of time lost, business disruption, and the demand itself — for some companies to pay out a ransom, rather than rely on restoration efforts, backups, and insurance claims.
“The process and governance requirements of insurance make it difficult to access funds in itself, but there is an increasing cyber risk as insurers have a wealth of sensitive data that bad actors find valuable,” according to PwC.
OPERATION LANDSCAPE
Ransomware operations can take many forms. Unsophisticated gangs might rely on phishing and spam, whereas other more advanced groups may take the time to perform reconnaissance first and select their targets carefully and quietly.
In some cases, groups buy commercially available ransomware licenses, a practice known as Ransomware-as-a-Service (RaaS), whereas others may develop custom digital weaponry and jealously guard their creations for exclusive use.
What should be remembered is that many ransomware operations have evolved to the point they are structured in a similar way to businesses today.
Ransomware gangs may hire professionals to perform different roles, provide customer service and support, collaborate with other cybercriminals, or take “commissions” when a client using their ransomware strain successfully extorts payment from a victim.
Many ransomware gangs specifically target what is known as “Big Game.” Big Game are high-profile, high-value enterprise firms with large annual revenue streams, as well as a lot to lose if they experience downtime. Hypothetical examples of Big Game targets would be Apple, Microsoft, Okta, Amtrak, or Sony.
The motive behind targeting Big Game is the possibility of higher payouts, often reaching millions of dollars.
Heidrick & Struggles’ 2023 Chief Information Security Officer (CISO) survey revealed that artificial intelligence, geopolitical challenges, and cyberattacks — including ransomware and state-sponsored threats — are considered the most significant organizational risks today.
Some of the most high-profile ransomware attacks this year include:
- ROYAL MAIL: The U.K. national mail service, Royal Mail, was struck by LockBit in January. The ransomware attack resulted in domestic and international shipments being delayed, with employees locked out of crucial operational files and systems. LockBit demanded an $80 million USD ransom. Royal Mail officials refused and branded the demand “absurd.”
- DISH NETWORK: In Feb. 2023, breach notification letters sent by Dish Network revealed that a ransomware attack exposed confidential records and sensitive information belonging to current and past employees. Reports suggest a ransom was paid as the company “received confirmation that the extracted data has been deleted.”
- REDDIT: Also in Feb. 2023, employees of the popular online forum fell for a phishing campaign, granting attackers access to internal information. Alphv/BlackCat threat actors demanded $4.5 million USD in ransom, alongside a rollback of controversial API changes.
- CAESARS: The Caesars Entertainment casino chain paid out $15 million USD to cybercriminals following a ransomware attack that led to the theft of customer data from its loyalty program database, taking place in Sep. 2023.
- MGM RESORTS: MGM Resorts was subject to a ransomware attack on the heels of Caesars. The intrusion was attributed to Scattered Spider, operating as an Alphv/BlackCat affiliate, and Alphv itself issued a statement claiming the attack; in either case, MGM properties faced check-in system failures, digital key cards becoming unresponsive, and a return to cash-only payments for over a week.
- JOHNSON CONTROLS: In late Sep. 2023, Johnson Controls International suffered a severe ransomware attack with company devices and VMware ESXi servers becoming encrypted. The industrial giant, and its subsidiaries, have been severely impacted because of technical outages which have also spilled out into customer portals.
GEOPOLITICS
If you consider ransomware a business — albeit a criminal enterprise — the state and fluctuations in politics, law, and the economy can impact the industry.
Ransomware operators, especially the state-sponsored, do not operate in a vacuum and may also launch politically motivated attacks.
For example, suspected Russian hackers attacked global communications firm Viasat, with their primary target being the Ukrainian military, before the invasion began. Since then, Microsoft has tracked a group dubbed Cadet Blizzard, linked to the Russian GRU, that is suspected of many attacks against Ukrainian infrastructure.
Google’s Threat Analysis Group (TAG) says that Ukraine has been the main focus of Russian threat actors in 2023.
A local government’s attitude to cybercrime can also change its relationship with other political factions.
For many years, the Kremlin has made superficial promises to crack down on cybercrime. This failure to rein in cybercrime has global consequences. Before the invasion of Ukraine, for example, Russia was not invited to a White House meeting with global leaders on how to disrupt ransomware operations, and other countries have since expanded threat intelligence-sharing deals.
Russia recently proposed a UN international treaty on cybercrime with support from China and North Korea, but companies including Microsoft have warned the draft only seeks to justify citizen surveillance and crackdowns on online dissent, rather than tackle digital crime.
In 2022, the U.S. and Canada renewed the Cross-Border Crime Forum (CBCF) to improve reporting practices concerning ransomware attacks impacting cross-border critical infrastructure. In the same year, representatives of the U.S. and EU met to share best practices and to discuss collaboration in fighting ransomware, now described as “a global problem that requires cooperation on a worldwide level.”
The U.S., U.K., and EU are constantly critical of Russian, Chinese, and North Korean leadership for allegedly abetting ransomware attacks originating from their respective countries.
TACTICS
The tactics utilized by today’s cyberattackers are as varied as their targets. Ransomware groups may conduct an attack from start to finish themselves, or they may choose to hire other criminals to streamline the process. For example, it is possible to purchase initial access to networks on the Dark Web, and many of these brokers specialize in finding entry points suitable for cyberespionage and malware deployment.
Methods used by ransomware groups to compromise their victims are below:
SPAM & PHISHING: A common way ransomware spreads is through mass generic spam emails and social media links, leading to the download of malicious attachments or drive-by downloads. However, attacks may be more likely to succeed when social engineering is involved.
BRUTE FORCE ATTACKS: Automated brute force attacks are used to try and obtain user account credentials and gain a foothold in a target network. You may also find automated attacks take place after ransomware operators are in a network, as they may be looking for additional user accounts and servers to infect.
INITIAL ACCESS BROKERS: Also known as IABs, initial access brokers are traders on the Dark Web who sell initial access points to companies, including stolen credentials or working RDP tunnels. By purchasing initial access, ransomware gangs can avoid a time-consuming stage of the attack chain and go straight into network reconnaissance or infection.
RECONNAISSANCE, SOCIAL ENGINEERING: Sophisticated ransomware groups will often perform surveillance on a target to learn about them and any related business connections, friends, or family members.
They may also conduct Open Source Intelligence (OSINT) activities to gather public knowledge about their targets. Armed with this information, attackers may masquerade as trusted contacts to lure victims into unwittingly executing ransomware. As we observed in the recent MGM Resorts hack, it can take mere minutes to obtain the right credentials for a victim network with the right preliminary research.
REMOTE DESKTOP PROTOCOL: Exposed Remote Desktop Protocol (RDP) services are one of the most common ways for ransomware operators to enter a network. Attackers locate Internet-facing RDP endpoints by scanning, then either exploit vulnerabilities in the RDP service itself or log in with stolen, sprayed, or brute-forced credentials, especially on accounts used for remote work that lack multi-factor authentication. Putting RDP behind a VPN or gateway, requiring MFA, and alerting on bursts of failed remote logons removes most of this exposure.
EXPLOIT KITS: Exploit kits, such as Angler, RIG, and Blackhole, bundle browser and plugin exploits into a malicious package that drops ransomware on a vulnerable computer visiting a compromised or malicious web page. Angler and Blackhole have been defunct for years and this vector is far less common today than credential abuse and phishing, but RIG-style kits still surface.
INSIDERS: If a cyber gang can find a disgruntled employee, they may become an insider threat. The employee may be offered cash or a percentage of a ransom to deploy a malicious payload from inside a company’s network or “fall” for a phishing attempt. Employees may also become unwitting, accidental insiders if they make genuine mistakes.
DOUBLE EXTORTION: Double extortion consists of two tactics to extort payment. Confidential data is stolen before encryption, and then cybercriminals threaten to publish this information online unless they are paid.
TRIPLE EXTORTION: A new, concerning trend is that of triple extortion. As noted by the World Economic Forum, some ransomware operators are now attempting data theft and extortion of the victim organization, and should the entity refuse, they will contact individuals involved in the breach to demand payment in return for their data staying confidential.
LEAK SITES: Leak sites are hosted on both the Clear and Dark web. These websites act as name-and-shame portals for ransomware victims, who are threatened with their data being published if a ransomware payment is not made by a specific date or time. Names may also appear prior to data leaks as a method to exert further pressure on compromised organizations.
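The brute force and RDP entries above describe the same observable: a burst of failed remote logons from one source, sometimes followed by a success once a password lands. The Python below is an added example written for this edit, not code from the report or from any product. It runs a simple sliding-window detector over constructed log lines in a simplified format that stands in for Windows Security events 4625 (failed logon) and 4624 (successful logon), where logon type 10 means RemoteInteractive, i.e. RDP. The IP addresses come from the documentation ranges, the user names and thresholds (10 failures in 300 seconds) are assumptions, and the "success after burst" rule is the alert a responder most wants, since it marks the moment an attacker has a working credential.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified, constructed line format standing in for Windows Security events.
# Real collection would read the EventID, LogonType, TargetUserName and
# IpAddress fields from the event XML instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>4625|4624) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "event": int(m["event"]), "ltype": int(m["ltype"]),
            "user": m["user"], "src": m["src"]}


def detect_rdp_bruteforce(lines, window_s=300, min_failures=10):
    """Emit a medium alert when one source accumulates >= min_failures RDP logon
    failures inside window_s seconds, and a high alert if that source then logs
    on successfully while those failures are still inside the window."""
    failures = defaultdict(deque)   # src -> deque of (ts, user) for recent 4625s
    alerted = set()                 # sources already reported at medium severity
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["ltype"] != 10:
            continue                # only RDP (RemoteInteractive) logons
        q = failures[rec["src"]]
        while q and q[0][0] < rec["ts"] - window_s:
            q.popleft()             # drop failures that fell out of the window
        if rec["event"] == 4625:
            q.append((rec["ts"], rec["user"]))
            if len(q) >= min_failures and rec["src"] not in alerted:
                alerted.add(rec["src"])
                users = {u for _, u in q}
                alerts.append({"severity": "medium", "src": rec["src"],
                               "failures": len(q), "distinct_users": len(users),
                               "kind": "password spray" if len(users) > 1 else "brute force"})
        elif len(q) >= min_failures:   # 4624 right after a burst: a credential was guessed
            alerts.append({"severity": "high", "src": rec["src"], "user": rec["user"],
                           "kind": "success after brute force"})
    return alerts


def constructed_log():
    """Constructed sample lines (documentation IP ranges, invented user names)."""
    t0 = datetime(2023, 9, 29, 2, 14, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = ["garbage line the parser must skip"]
    # a network (type 3) failure from the attacker: not RDP, ignored by the rule
    lines.append(f"{(t0 - timedelta(minutes=1)).strftime(fmt)} EventID=4625 LogonType=3 "
                 f"User=admin Src=203.0.113.7")
    # spray from 203.0.113.7: 12 RDP failures across four accounts, 10 s apart
    for i, user in enumerate(["administrator", "admin", "backup", "svc_sql"] * 3):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).strftime(fmt)} EventID=4625 "
                     f"LogonType=10 User={user} Src=203.0.113.7")
    # ...then a success for one of the sprayed accounts
    lines.append(f"{(t0 + timedelta(seconds=130)).strftime(fmt)} EventID=4624 LogonType=10 "
                 f"User=backup Src=203.0.113.7")
    # a legitimate admin who mistypes twice: below threshold, no alert
    t1 = t0 + timedelta(hours=1)
    for secs, ev in ((0, 4625), (20, 4625), (40, 4624)):
        lines.append(f"{(t1 + timedelta(seconds=secs)).strftime(fmt)} EventID={ev} "
                     f"LogonType=10 User=jsmith Src=198.51.100.20")
    return lines


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(constructed_log()):
        print(alert)
```

On the constructed log the rule yields exactly two alerts for 203.0.113.7, a medium "password spray" at the tenth failure and a high "success after brute force" for the backup account, while the admin who mistyped twice produces nothing. Counting distinct user names per source is what separates a spray (many accounts, few attempts each, which per-account lockout policies miss) from a classic brute force against one account.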
RANSOMWARE GANGS
As some ransomware gangs form and others close or rebrand, the ones to watch are constantly moving targets. However, below we highlight the most prominent and interesting ransomware gangs to watch in 2023.
- 8BASE: 8base is a ransomware group, active since Mar. 2022, that operates a leak site and targets organizations primarily in IT, business, finance, and manufacturing. A provincial Canadian government entity paid 8base a ransom to prevent data belonging to roughly 1.47 million individuals from being leaked.
- ABYSS LOCKER: Abyss Locker, launched in Mar. 2023, is a new group of extortionists that has claimed at least 14 victim organizations. Abyss Locker targets VMware ESXi servers and conducts double-extortion plays to force victims into paying a ransom.
- AKIRA: Launched in Mar. 2023, Akira is a new entrant focused on attacking organizations in finance, property, education, manufacturing, and more. This operation is not believed to be the same as the Akira group from 2017.
- ALPHV/BLACKCAT: The RaaS gang was first detected in late 2021 and is notable due to the unusual use of the Rust language. Affiliates have adopted the BlackCat ransomware in their droves and the group is thought to have ties with Scattered Spider. Alphv hackers claim that in a recent attack against MGM Resorts, it took no more than a 10-minute phone call to compromise the hospitality giant’s systems. The group has also been associated with the Sphynx encryptor.
- AVOSLOCKER: AvosLocker has been peddling its wares on underground forums since at least 2021. The RaaS gang has conducted high-profile attacks against the healthcare sector. In May 2023, AvosLocker compromised a mass alert system belonging to a school in Virginia, Bluefield University, to threaten students and employees.
- BABUK: Babuk’s source code was leaked in 2021. Smaller ransomware threat actors, including Ransom House and Play, are utilizing the code to build ESXi lockers. The alleged leader of Babuk was indicted and sanctioned by U.S. authorities in May.
- BIANLIAN: BianLian uses a Go-based ransomware and infrastructure that first appeared in Dec. 2021. Researchers have taken note of this threat due to the malware’s high encryption speeds. While a free decryptor was released, in Mar., researchers noted a pivot in tactics to rely purely on data theft and extortion to generate income. In September, the non-profit organization Save the Children said BianLian was to blame for a ransomware attack and the theft of 7TB of sensitive data related to the charity’s work.
- BLACK BASTA: First discovered in Apr. 2022, Black Basta is a relatively new entry that has already claimed at least 50 organizations as victims. Investigations are underway, but some evidence points toward a Russian origin. The ransomware group reportedly claimed Swiss multinational company ABB as a victim in May after compromising the firm’s Windows Active Directory. Researchers suspect real-world connections between Black Basta, Hive, and Royal.
- BLACKBYTE: BlackByte has claimed victims worldwide, ranging from Mexico to Vietnam. The RaaS group is a Big Game hunter and runs an interesting blackmail model: victims can pay smaller amounts to delay the publishing of stolen data and higher sums for downloads or deletion. BlackByte has adopted double-extortion methods.
- BL00DY: The FBI and CISA issued a joint warning in May, urging organizations to be on the alert against Bl00dy, a ransomware gang utilizing PaperCut vulnerabilities to attack the education sector.
- CL0P: A RaaS service and prolific threat group, CLOP/CL0P has extorted an estimated $500+ million from victim organizations. While arrests have taken place, the RaaS service is alive and well. A Linux version of the ransomware appeared in December, but thanks to a design flaw, a decryptor has been released. Over Q3, CL0P claimed over 400 victims via a zero-day exploit in MOVEit transfer software, utilized to steal data from corporate networks. The U.S. government is offering a $10 million USD bounty for information on the group.
- CONTI/WIZARD SPIDER: When Russia invaded Ukraine, Conti pledged its support to Russian President Vladimir Putin. A disgruntled researcher responded by breaking into the gang’s systems and leaking their files, leading to Conti’s retirement. Researchers suspect members moved to BlackCat, AvosLocker, Hive, and HelloKitty. Alleged members have been indicted by U.K. and U.S. authorities.
- CUBA: Since Dec. 2021, the Cuba ransomware outfit’s number of U.S. victims has doubled with increased payouts. Links are suspected with RomCom RAT and Industrial Spy ransomware. Recent attacks have been recorded against critical infrastructure in Latin America.
- CYCLOP/KNIGHT: Formerly known as Cyclop, Knight is a rebranded version of the RaaS outfit that distributes itself in spam campaigns. Lately, campaigns have included fake TripAdvisor
- DARKANGELS: Potentially a rebrand of Babuk, DarkAngels emerged in 2022 and conducts highly targeted attacks.
- DARKBIT: The DarkBit group attacked one of Israel’s leading research universities in 2023. DarkBit appears to have a political ax to grind, considering its ransom note was laden with anti-Israel messaging.
- DARKSIDE: DarkSide, believed to be based in Eastern Europe, caused fuel panic-buying in the U.S. in 2021 after hitting Colonial Pipeline. The RaaS service reportedly counted Brenntag and Toshiba Tec among its victims. The group said it was shutting down in 2021, but as we know, many ransomware gangs retire a brand, regroup, and then reemerge under a new name.
- DAIXIN TEAM: Daixin Team was allegedly responsible for a Nov. 2022 cyberattack against AirAsia, resulting in the leak of passenger and staff data. Additionally, Daixin Team attacked B&G Foods in Feb. 2023.
- DEADBOLT: Active since Jan. 2022, the Deadbolt ransomware group demands Bitcoin following the encryption of QNAP NAS drives. In Oct. 2022, Dutch police tricked the group into handing over roughly 150 decryption keys. Still, thousands of victims have been claimed.
- DOPPELPAYMER: The suspected rebrand of BitPaymer, DoppelPaymer tended to strike organizations in healthcare, education, and emergency services. After disrupting a German hospital, prosecutors attempted to pursue the hackers with negligent homicide, but the case was eventually dropped due to a lack of evidence. It is thought that the gang has rebranded to Grief Group.
- EVIL CORP: Known for its attack on CNA Financial, Evil Corp is a group believed to be based in Russia. In Jul. 2022, Microsoft linked the use of the Raspberry Robin worm and FakeUpdates malware to the gang.
- FIN7/SANGRIA TEMPEST: FIN7 is a notorious Russian hacking group that re-emerged in May. Having previously deployed REvil and Maze ransomware, the gang is now using CL0P ransomware in targeted attacks.
- GRIEF GROUP: Suspected of being a rebrand of DoppelPaymer and also known as PayOrGrief, the gang managed to secure over $10 million in ransom payments mere months after launch. Rebrand aside, Europol has raided the homes of individuals suspected of being the masterminds of DoppelPaymer attacks.
- HARDBIT: First observed in Oct. 2022, HardBit takes negotiation to the next level. The gang will try and convince its victims to reveal cyber insurance policy information so a ransom demand can be made within payout parameters.
- HELLOKITTY/FIVEHANDS: HelloKitty/FiveHands, likely Ukrainian and with ties to Russian cybercriminals, is best known for stealing information from game developer CD Projekt Red. HelloKitty will launch DDoS attacks against victims who refuse to pay.
- HIVE: Hive has operated a RaaS service since at least 2021. Hive actors victimized at least 1,500 companies worldwide, receiving at least $100 million USD in payments. In 2023, the U.S. DoJ announced the FBI’s infiltration of Hive’s network, with its infrastructure dismantled and over 300 decryption keys released to victims.
- INDUSTRIAL SPY: Industrial Spy emerged in Apr. 2022 and will either steal data for extortion alone or conduct theft and deploy ransomware.
- LACE TEMPEST: Microsoft believes Lace Tempest is a CL0P ransomware affiliate. The group has been observed using GoAnywhere exploits, the Raspberry Robin dropper, Cobalt Strike beacons, and exploits against the PaperCut print management system in attacks since at least April. Lace Tempest has also been connected to MOVEit exploitation.
- LAPSUS$: LAPSUS$ was an infamous group that conducted a double-extortion hacking spree, claiming high-profile victims including Microsoft, Nvidia, and Okta. While no longer active, a 16-year-old from the U.K. who still lived with his mother is suspected of being a leader, and another alleged member was arrested in Brazil.
- LOCKBIT: According to Digital Shadows, LockBit infection rates outstrip every other group by a substantial margin, accounting for over 30 percent of all recorded infections. LockBit took credit for an attack on the U.K.’s Royal Mail service in January. LockBit also boasts of infiltrating the cybersecurity firm Darktrace, a claim Darktrace denies. LockBit has recently begun targeting Apple macOS devices and there has been a recent uptick in attacks against U.S. government offices.
- MALASLOCKER: Emerging in Mar. 2023, MalasLocker attempts to paint itself as Robin Hood, with ransom demands packaged as donations to charity in return for a decryption tool and to prevent the public leak of stolen data.
- MEDUSA: Medusa ramped up its activity this year with a rash of attacks, million-dollar demands, and the launch of a leak site. An Australian cancer treatment center received a $100,000 USD demand in May 2023. Medusa also leaked what is allegedly Microsoft source code. In Sep. 2023, the National Privacy Commission (NPC) received a notice from Philippine Health Insurance (PhilHealth) of an alleged Medusa ransomware attack.
- MEDUSALOCKER: Not to be confused with the aforementioned Medusa group, MedusaLocker criminals exploit vulnerable Remote Desktop Protocol (RDP) configurations and primarily target healthcare organizations. To these criminals, the COVID-19 pandemic represented an opportunity to expand its activities.
- MONEY MESSAGE: Money Message claimed responsibility for the breach and theft of source code from Micro-Star International (MSI), with screenshots of stolen data later posted on a leak site.
- MORTALKOMBAT: MortalKombat is a ransomware variant spread through cryptocurrency-themed phishing emails. As the ransomware was only observed in early 2023, little is currently known about the threat actors behind it beyond that the majority of victims are based in the U.S. This hasn’t stopped researchers from releasing a decryption tool.
- NETWALKER: In 2020, Netwalker attacked the University of California SF. To salvage its research, the educational institution paid the group $1.14 million USD. A Canadian national and affiliate of the group has been sentenced to 20 years behind bars.
- NEVADA: In Feb. 2023, the sudden emergence of a new ransomware gang, dubbed Nevada, captured the attention of researchers. The group reportedly attempted to compromise roughly 5,000 systems belonging to organizations ranging from shipping to construction firms.
- NOESCAPE: NoEscape, suspected of being Avaddon’s successor, launched in Jun. 2023 and began targeting organizations in double-extortion attacks. Some ransom demands reach over $10 million USD.
- NOKOYAWA: Nokoyawa is a relatively new entry that is still being investigated by researchers. The group is suspected of a link with Hive, which hit the headlines in 2021 after breaching approximately 400 organizations. Cybercriminals exploited a Windows zero-day in the Common Log File System (CLFS) driver, patched by Microsoft in April 2023, to escalate privileges and deploy Nokoyawa payloads before the fix was available.
- ONYX: Onyx operators focus on the U.S. This group conducts double-extortion attacks and may destroy data rather than encrypt it. Guatemala’s Foreign Ministry was added to the Onyx leak site’s victim list in 2022.
- PANDORA: Pandora, a suspected rebrand of ROOK, has targeted high-profile organizations including automotive giant Denso Corp in 2022.
- PLAY: Launched in Jun. 2022, Play is ransomware linked to attacks against Argentina’s Judiciary of Córdoba and A10 Networks. The gang continues to enhance its weapon portfolio, having recently introduced two new custom tools in .NET. One of Play’s confirmed victims is Dutch shipping giant Royal Dirkzwager.
- RA GROUP: RA Group is using leaked Babuk source code to compromise organizations in the U.S. and South Korea. The new gang, in operation since roughly Apr. 2023, has claimed victims in manufacturing, wealth management, insurance, and pharmaceuticals — at the least.
- RAGNAR LOCKER: Ragnar Locker, both malware and a group itself, has been on the FBI watchlist since 2020. The group has attacked organizations in industries including energy, infrastructure, and financial services — as well as a misplaced attack against Dutch police. Israel’s Mayanei Hayeshua Hospital is one of the latest victims to appear on Ragnar Locker’s leak site.
- RANSOMED.VC: Reports suggest that newcomers to the field, Ransomed.vc, claimed to have infiltrated Sony systems in September and were offering stolen data for sale on the Dark Web — but the proof was scant. Another threat actor, MajorNelson, refuted these claims and published a large dataset, claiming responsibility. Sony is investigating.
- RANSOMEXX: RansomEXX appeared in 2018 under the name Defray777 and remains active today. The RaaS service has links to the Gold Dupont group. According to Trend Micro, the ransomware marked the first time a major Windows strain expanded to Linux. A March data leak post made by the group claimed Ferrari was among its victims.
- RHYSIDA: Rhysida claims to be a “cybersecurity team” that helps organizations secure their networks. In reality, the RaaS operation targets education, government, manufacturing, and tech, but little more is known about the group, beyond reports that Rhysida successfully attacked the government of Kuwait.
- ROYAL: First spotted in 2022, Royal appears to focus on the healthcare sector, demanding millions of dollars in blackmail payments following successful attacks. Royal seems to be a private criminal gang rather than a RaaS service. Royal caused significant damage to government systems belonging to the City of Dallas by using a stolen account for initial entry.
- RYUK: Emerging in 2018, Ryuk ransomware has been connected to Emotet and Trickbot botnet operators. This ransomware was employed before the group behind Ryuk campaigns, Wizard Spider, switched to Conti. A Russian national extradited to the U.S. in 2022 pleaded guilty to laundering the proceeds of Ryuk ransom payments. A crypto broker connected to Ryuk was issued a light sentence following a guilty plea.
- SANDWORM: The Russian state-backed Sandworm group has launched the novel RansomBoggs ransomware against Ukrainian organizations. Also tracked under the BlackEnergy name, this group is not specifically focused on ransomware; it is also known to deploy wiper malware against its targets and an Android infostealer called Infamous Chisel. Researchers reported new destructive capabilities in Sandworm tooling in early 2023.
- SHADOWSYNDICATE: Previously known as Infra Storm, ShadowSyndicate first emerged in Jul. 2022 and is an unusual RaaS affiliate, having used at least seven different ransomware families to date. High-confidence links have been established to Quantum, Nokoyawa, and Alphv.
- SNATCH: Active for many years, Snatch ransomware forces a compromised PC to reboot into Windows Safe Mode before encryption occurs, so that most endpoint security software is not running when files are encrypted. Recorded attacks include an incident involving the city of Modesto, California, and a Wisconsin school. However, security journalist Brian Krebs recently revealed that the group's own infrastructure was exposing data about its location and operations.
- SODINOKIBI/REvil: Sodinokibi, or REvil, is a Russian-speaking group focusing on high-value targets. Past victims include Kaseya. In Mar. 2022, an alleged group member was extradited to the U.S. to face DoJ charges for participating in that attack. Recent analysis suggests REvil may, once again, be under active development.
- SOPHOSENCRYPT: Originally thought to be part of a red team exercise by cybersecurity firm Sophos, SophosEncrypt is a RaaS operation providing an encryptor written in Rust.
- THANOS: The Thanos RaaS service and "create your own" ransomware builder was a one-man operation created and licensed by a Venezuelan doctor. An FBI investigation led to federal charges against him.
- VICE SOCIETY: Joining the scene in 2021, Vice Society is a group that employs double-extortion tactics against victim organizations. However, the group does not develop its own malware; instead, it relies on commodity ransomware families built by others. This year, Vice Society has focused on attacking British schools and manufacturing companies.
- YASHMA/CHAOS: Yashma is potentially a rebrand of Chaos, although the development family tree is unclear. Researchers consider this ransomware strain, and its users, the Onyx group, dangerous because of its flexibility. U.S. emergency services are among its victims.
- YANLUOWANG: The Yanluowang ransomware gang was linked to a confirmed attack against Cisco in May 2022. Yanluowang added the tech giant to its leak site, claiming the theft of 2.75GB in stolen data.
- ZEPPELIN: Zeppelin, a derivative of the Delphi-based Vega malware family, is a RaaS operation known to have targeted enterprise companies, healthcare, and medical organizations since 2019.
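The Snatch entry above describes one technique that defenders can actually hunt for: ransomware that reboots a machine into Safe Mode has to stage that reboot first, and the staging leaves process-creation traces. Public analysis of Snatch describes the usual sequence as setting the safeboot option with bcdedit, registering a service under the SafeBoot\Minimal registry key so it still runs in the reduced boot, then forcing a restart. The following detection logic is an added example written for this article, not code from Cybercrime Magazine, Conceal, or any vendor product. The events are constructed and only loosely shaped like Sysmon Event ID 1 fields; the host names, user names, timestamps, and the service name "Backup1" are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs from any incident). Shape loosely
# follows Sysmon Event ID 1 / Windows 4688 process-creation fields.
SAMPLE_EVENTS = [
    {"ts": "2023-09-20T02:11:03Z", "host": "ws-0412", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"ts": "2023-09-20T02:11:04Z", "host": "ws-0412", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\reg.exe",
     # Hypothetical service name "Backup1" registered to run in Safe Mode.
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Backup1" /ve /t REG_SZ /d Service /f'},
    {"ts": "2023-09-20T02:11:05Z", "host": "ws-0412", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 0 /f"},
    # Benign activity on another host: a read-only bcdedit query and a scheduled reboot.
    {"ts": "2023-09-20T09:30:00Z", "host": "ws-0099", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    {"ts": "2023-09-20T09:31:00Z", "host": "ws-0099", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 60"},
]

# Stage 1: the boot configuration is switched to Safe Mode (minimal or networking).
SAFEBOOT_SET = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b\s+(?:minimal|network)\b", re.I)
# Stage 2: a service is added to the Safe Mode allow-list so it runs after the reboot.
SAFEBOOT_SVC = re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\", re.I)
# Stage 3: a restart is forced. On its own this is ordinary administration.
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s[/-]r\b", re.I)


def classify(event):
    """Tag a process-creation event with the Safe Mode staging step it matches, if any."""
    cmd = event["cmdline"]
    if SAFEBOOT_SET.search(cmd):
        return "safeboot_set"
    if SAFEBOOT_SVC.search(cmd):
        return "safeboot_service"
    if FORCED_REBOOT.search(cmd):
        return "reboot"
    return None


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_safe_mode_staging(events, window=timedelta(minutes=10)):
    """Return one alert per host on which Safe Mode staging was observed.

    Severity is 'high' when a forced reboot follows the staging within `window`
    and 'medium' when only the staging was seen (the reboot may have been
    missed, or the attacker may not have triggered it yet). A reboot with no
    staging produces nothing: restarts alone are not a signal.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag is not None:
            by_host.setdefault(ev["host"], []).append((tag, ev))

    alerts = []
    for host, tagged in by_host.items():
        staging = [ev for tag, ev in tagged if tag != "reboot"]
        if not staging:
            continue
        first_stage = _ts(staging[0]["ts"])
        reboots = [ev for tag, ev in tagged
                   if tag == "reboot" and first_stage <= _ts(ev["ts"]) <= first_stage + window]
        alerts.append({
            "host": host,
            "severity": "high" if reboots else "medium",
            "evidence": [ev["cmdline"] for ev in staging] + [ev["cmdline"] for ev in reboots],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_safe_mode_staging(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"])
        for line in alert["evidence"]:
            print("   ", line)
```

Two caveats a practitioner should keep in mind. Administrators do occasionally set safeboot with bcdedit for troubleshooting, so the rule correlates the staging with a reboot on the same host inside a short window rather than alerting on bcdedit alone. And the registry path is the documented Safe Mode service allow-list, so any legitimate software that installs itself there (some backup and security agents do) should be baselined before this rule is put into production.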
RANSOMWARE PROTECTION
There are many ways to protect yourself and your organization against ransomware, but for businesses today, it’s not a case of if, but rather when, a cyberattack or breach occurs.
Organizations can adopt a variety of practices to improve their security hygiene. Microsoft says that 98 percent of attacks can be avoided by implementing basic cyber resilience practices, including:
- Keeping operating systems and software up-to-date
- Analyzing the risk of new vulnerabilities and patching promptly
- Being aware of, and providing training for employees to recognize phishing and social engineering attempts
- Enabling multi-factor authentication on user accounts. Consider phishing-resistant methods such as hardware security keys (for example, YubiKeys) and biometrics
- Avoiding suspicious websites and implementing firewalls
- Implementing zero-trust policies in user management
- Maintaining regular, offline backups separate from your main systems
- Creating an incident response plan considering damage limitation, forensics, and legal aspects
RANSOMWARE RESOURCES
The official website of the U.S. Cybersecurity and Infrastructure Security Agency, CISA.gov, provides an in-depth guide for business leaders and responders, which can be accessed here. A key thing to remember is that even if you pay a ransom, there is no guarantee that your systems will be restored or your files will be returned.
StopRansomware.gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.
Click here to report a cyber incident to CISA.
Click here to report a ransomware incident to the FBI.
The Mitre Ransomware Resource Center helps healthcare delivery, supply, and support organizations become more resilient to threats from ransomware.
The No More Ransom project provides free decryption tools for ransomware families whose keys have been recovered.
Cybercrime Magazine provides a feed covering the latest ransomware incidents.
– Charlie Osborne is an Editor-at-Large for Cybercrime Magazine
Go here to read all of Charlie’s Cybercrime Magazine articles.
About Conceal
Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.
With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.
Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.